[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: `guix pull` over HTTPS
|
From: |
Marius Bakke |
|
Subject: |
Re: `guix pull` over HTTPS |
|
Date: |
Tue, 28 Feb 2017 15:59:42 +0100 |
|
User-agent: |
Notmuch/0.23.5 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu) |
Leo Famulari <address@hidden> writes:
> On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
>> Marius Bakke <address@hidden> skribis:
>> > I think having a separate 'le-certs' package that can verify the Lets
>> > Encrypt chain sounds like the easiest option. Presumably new
>> > intermediates etc will be known well in advance.
>>
>> That sounds more reasonable to me. Do you know what it would take to
>> get the whole LE chain in such a package? Would you like to give it a
>> try?
>
> I tried it. The next intermediate (also called the "backup") is already
> known.
>
> I've made it available here:
>
> https://github.com/lfam/le-certs
>
> You can try it out:
>
> $ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath
> /tmp/le-certs -connect git.savannah.gnu.org:443
>
> Your feedback is requested!
Wow, this is cool!
$ SSL_CERT_FILE="" SSL_CERT_DIR="" guix pull
--url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Starting download of /tmp/guix-file.7U65Ts
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
ERROR: X.509 certificate of 'git.savannah.gnu.org' could not be verified:
signer-not-found
invalid
SSL_CERT_FILE="" SSL_CERT_DIR="/tmp/le-certs/" guix pull
--url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Starting download of /tmp/guix-file.wOblWP
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
….tar.gz 1.0MiB/s 00:11 | 11.1MiB transferred
unpacking '/gnu/store/p0gbr83a4g9qlk59vvxkw8gvrv1z8cnw-guix-latest.tar.gz'...
For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
for `guix download`, but having just the one file in SSL_CERT_DIR does.
That's good enough for me! Could you make this into a Guix package?
I wonder what happens if we simply switch %snapshot-url to HTTPS in
`guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
configured? I think it would be sufficient to mention in the manual to
install one of "nss-certs" or "le-certs" before running `guix pull` for
the first time. How does that sound?
These certs are valid until at least 2020, so using a Guix release
snapshot of this package should work for a long time.
Some other tests:
$ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null
* Rebuilt URL to: https://nrk.no/
* Trying 160.68.205.231...
* TCP_NODELAY set
* Connected to nrk.no (160.68.205.231) port 443 (#0)
* found 10 certificates in /tmp/le-certs/le-certs.pem
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem
CRLfile: none
* Closing connection 0
$ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null
* Rebuilt URL to: https://gnu.org/
* Trying 208.118.235.148...
* TCP_NODELAY set
* Connected to gnu.org (208.118.235.148) port 443 (#0)
* found 10 certificates in /tmp/le-certs/le-certs.pem
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: gnu.org (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=gnu.org
* start date: Wed, 15 Feb 2017 10:01:00 GMT
* expire date: Tue, 16 May 2017 10:01:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
$ GIT_SSL_CAINFO="" git clone --depth=1
https://git.savannah.gnu.org/git/guix.git
Cloning into 'guix'...
fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem
with the SSL CA cert(path? access rights?)
$ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1
https://git.savannah.gnu.org/git/guix.git
Cloning into 'guix'...
remote: Counting objects: 1409, done.
signature.asc
Description: PGP signature
- Re: `guix pull` over HTTPS, (continued)
- Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/10
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/10
- Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/10
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/10
- Re: `guix pull` over HTTPS, ng0, 2017/02/10
- Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/11
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/11
- Re: `guix pull` over HTTPS, Ricardo Wurmus, 2017/02/11
- Re: `guix pull` over HTTPS, Ludovic Courtès, 2017/02/12
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/28
- Re: `guix pull` over HTTPS,
Marius Bakke <=
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Marius Bakke, 2017/02/28
- Re: `guix pull` over HTTPS, Leo Famulari, 2017/02/28
- [PATCH] pull: Use HTTPS by default., Marius Bakke, 2017/02/28
- Re: [PATCH] pull: Use HTTPS by default., Leo Famulari, 2017/02/28